California Legislature Makes Last-Minute Changes to New Data Privacy Law

As California’s legislative session came to a close late last month, the state’s lawmakers passed SB-1121, approving a series of tweaks to the California Consumer Privacy Act of 2018 or CCPA, the far-ranging data privacy law enacted earlier this summer. The new bill now heads to the governor for consideration.

As we have previously blogged, the CCPA, as originally enacted, was fast-tracked through the legislative chamber, and contained a number of new requirements governing how businesses collect, store, and use consumers’ personal data. It is slated to come in to effect on January 1, 2020. Though limited on its face to business activities within California, because so many of America’s leading tech companies are headquartered there, we’ve observed that CCPA is expected to have broad-reaching implications.

Though lawmakers have billed SB-1121 as providing largely “technical and clarifying amendments” to the controversial law “to ensure proper implementation,” lawmakers also acknowledged that the new bill, if signed into law by Governor Jerry Brown, “includes several more substantive changes sought by various stakeholders” including the tech industry and privacy advocates who were expected to challenge the initial CCPA’s implementation through a ballot initiative this November. The new bill aims to avoid this process by responding to a number of wide-ranging concerns.

Some of the more significant substantive amendments to the CCPA embodied in SB-1121 include the following:

SB-1121 revises the definition of what constitutes “personal information” under the CCPA, making clear that data is considered “personal information” only if it falls in to certain categories which “identif[y], relate[ ] to, describe[ ], is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” While this definition remains broad and subject to interpretation, it removes the “per se” definition of “personal information” in the original Act.

To address concerns from the California Attorney General, SB-1121 removes the CCPA’s requirement that consumers notify the AG before bringing a private action under the Act, and eliminates the Attorney General’s ability to prohibit a private action from going forward.

Similarly, SB-1121 gives the California AG until July 1, 2020 to promulgate interpreting regulations, and prohibits the California AG from commencing enforcement actions under the Act until six months thereafter or July 1, 2020, whichever comes first.

SB-1121 also expands various carve outs in the CCPA, making clear that it does not generally apply to information collected by financial institutions covered by the federal Gramm-Leach-Bliley act or its state law companion, the California Financial Information Privacy Act.

Likewise, the SB-1121 makes clear the CCPA does not generally govern information collected by institutions governed by the federal Health Insurance Portability and Accountability Act (i.e., HIPAA) or the California Confidentiality of Medical Information Act.

SB-1121 also allocates civil penalties imposed and settlements reached for a violation of the CCPA to the California Consumer Privacy Fund, and removes the requirement that 80 percent of such proceeds be given to the jurisdiction initiating the enforcement action. This makes clear that under the revised law, the Attorney General is expected to be the primary enforcer of the CCPA, as opposed to local governments.

Though SB-1121 does clarify a number of provisions of the CCPA, commentators have already observed that even if it becomes law later this fall when it heads to the Governor’s desk, a number of other ambiguities in the law remain, and will need to be addressed in future legislative sessions. We will continue to follow these developments on this blog.